Bug#559808: CVE-2009-3736 local privilege escalation

2011-06-08 Thread Javier Serrano Polo
This is fixed in 0.8.9-1, isn't it?




Bug#559808: CVE-2009-3736 local privilege escalation

2010-01-25 Thread Stefano Zacchiroli
tags 559808 + help
thanks

On Wed, Dec 30, 2009 at 01:29:50PM +0100, Moritz Muehlenhoff wrote:
> Gnash already has a Build-Depends on the shared copy, but it appears
> as if only the hppa build links against the system copy. I suppose
> this needs to be configured explicitly by passing --without-included-ltdl
> to the configure call.

I've been rebuilding gnash passing explicitly --without-included-ltdl
(patch attached), but that does not seem to be enough to have the main
gnash package linked against system-wide ltdl.  ldd confirms that the
gtk-gnash executable is not linked against ltdl, whereas the other
binary packages of gnash do link against the system-wide library (that
was the case also without the patch).

At first sight configure.ac seems to be doing the right thing in _not_
forcing the convenience library (it does that only if older versions of
libltdl are found in the sources, which is no longer the case).

Bottom line: some more investigation is needed
Maintainer: any comment?

Cheers.

-- 
Stefano Zacchiroli -o- PhD in Computer Science \ PostDoc @ Univ. Paris 7
z...@{upsilon.cc,pps.jussieu.fr,debian.org} -- http://upsilon.cc/zack/
Dietro un grande uomo c'è ..|  .  |. Et ne m'en veux pas si je te tutoie
sempre uno zaino ...| ..: | Je dis tu à tous ceux que j'aime
diff -u gnash-0.8.6/debian/changelog gnash-0.8.6/debian/changelog
--- gnash-0.8.6/debian/changelog
+++ gnash-0.8.6/debian/changelog
@@ -1,3 +1,11 @@
+gnash (0.8.6-2.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Force building against system version of libltdl. Fix CVE-2009-3736
+(on all archs). (Closes: #559808)
+
+ -- Stefano Zacchiroli z...@debian.org  Sun, 24 Jan 2010 15:56:05 +0100
+
 gnash (0.8.6-2) unstable; urgency=low
 
   [ Miriam Ruiz ]
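Review bot: The new entry's "Fix CVE-2009-3736 (on all archs). (Closes: #559808)" claims more than the covering mail supports, since that mail reports gtk-gnash is still not linked against the system-wide ltdl after the rebuild. Until the linkage is confirmed for every binary package, drop the Closes: or word the entry as a partial fix. Separately, urgency=low sits oddly with a bug filed at Severity: grave with the security tag; consider a higher urgency.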
diff -u gnash-0.8.6/debian/rules gnash-0.8.6/debian/rules
--- gnash-0.8.6/debian/rules
+++ gnash-0.8.6/debian/rules
@@ -63,6 +63,7 @@
--with-npapi-plugindir=\$${prefix}/lib/gnash \
--with-kde-pluginprefix=\$${prefix} \
--with-plugins-install=system \
+   --without-included-ltdl \
--enable-shared=yes \
--enable-sdk-install \
--enable-lotsa-warnings \
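Review bot: The added "--without-included-ltdl \" line has nothing in debian/rules that verifies its effect, and the covering mail says the flag alone did not change how gtk-gnash is linked. Consider making the build fail if the embedded libltdl sources get compiled (or removing that directory before configure runs), and checking the linkage of the built binaries after the build step, so that a silently ignored option cannot ship the convenience copy.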


Bug#559808: CVE-2009-3736 local privilege escalation

2009-12-30 Thread Moritz Muehlenhoff
On Sun, Dec 06, 2009 at 11:55:11PM -0500, Michael Gilbert wrote:
> Package: gnash
> Severity: grave
> Tags: security
>
> Hi,
>
> The following CVE (Common Vulnerabilities & Exposures) id was
> published for libtool.  I have determined that this package embeds a
> vulnerable copy of the libtool source code.  However, since this is a
> mass bug filing (due to so many packages embedding libtool), I have not
> had time to determine whether the vulnerable code is actually present
> in any of the binary packages. Please determine whether this is the
> case. If the package is not affected, please feel free to close the bug
> with a message containing the details of what you did to check.

Gnash already has a Build-Depends on the shared copy, but it appears
as if only the hppa build links against the system copy. I suppose
this needs to be configured explicitly by passing --without-included-ltdl
to the configure call.

Cheers,
Moritz



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
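
The bug report asks maintainers to check whether libltdl code actually ends up in the binary packages, and the reply above turns on which builds link against the system copy. As an added example (not part of the thread or of the gnash packaging), the Python below classifies a binary from the text output of `readelf -d` and `nm -D`; the function names, the symbol list used as a heuristic and the sample tool output are assumptions constructed for illustration.

```python
import re
import subprocess

# A few public libltdl entry points; seeing them as *defined* dynamic symbols
# suggests a bundled (convenience) copy was compiled into the object.
LTDL_SYMBOLS = {"lt_dlopen", "lt_dlopenext", "lt_dlinit", "lt_dlsym"}
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[(libltdl\.so[^\]]*)\]")

def classify_ltdl(readelf_dynamic: str, nm_dynamic: str) -> str:
    """Classify linkage from the text of `readelf -d FILE` and `nm -D FILE`."""
    needs_system = bool(NEEDED_RE.search(readelf_dynamic))
    defined, undefined = set(), set()
    for line in nm_dynamic.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        sym_type, name = parts[-2], parts[-1].split("@")[0]
        if name in LTDL_SYMBOLS:
            (undefined if sym_type == "U" else defined).add(name)
    if defined and needs_system:
        return "both"          # bundled copy present, system library also loaded
    if defined:
        return "embedded"      # bundled copy: only a rebuild fixes it
    if needs_system:
        return "system"        # fixed by upgrading the system libltdl package
    if undefined:
        return "indirect"      # resolved through another library: inspect that one
    return "inconclusive"      # no dynamic evidence, e.g. static copy, hidden symbols

def inspect(path: str) -> str:
    """Run binutils on a real ELF file (needs readelf and nm on PATH)."""
    run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    return classify_ltdl(run("readelf", "-d", path), run("nm", "-D", path))

# Constructed sample tool output (not taken from a real gnash build).
SAMPLE_SYSTEM = (
    " 0x0000000000000001 (NEEDED)  Shared library: [libltdl.so.7]\n",
    "                 U lt_dlopen\n                 U lt_dlsym\n",
)
SAMPLE_EMBEDDED = (
    " 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]\n",
    "0000000000012340 T lt_dlopen\n0000000000012a10 T lt_dlinit\n",
)
SAMPLE_NONE = (
    " 0x0000000000000001 (NEEDED)  Shared library: [libgtk-x11-2.0.so.0]\n",
    "",
)
```

An `inconclusive` result does not show the package is unaffected: a static copy in an executable that exports no dynamic symbols leaves nothing for `nm -D` to report, so the build log has to be checked as well.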



Bug#559808: CVE-2009-3736 local privilege escalation

2009-12-06 Thread Michael Gilbert
Package: gnash
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736


